The Hacker Mind Podcast: Beyond MITRE ATT&CK
Just because you have a tool, like ATT&CK, you might not realize its full potential without someone being there to guide you … at least in the beginning.
Frank, now the chief innovation officer and co-founder of Tidal Security, returns to The Hacker Mind to discuss ATT&CK, only this time from the perspective of his new company. He talks about the community platform that Tidal Security launched at Black Hat USA 2022.
Vamosi: I just returned from Hacker Summer Camp 2022. And it was great to meet up with everyone once again in real life. And to hear the technical talks in a ballroom. I even got some training on the side from Google and others. Training is important. Just because you have a tool, like VirusTotal, you might not realize its full potential without someone being there to guide you along the way … at least in the beginning.
I’m reminded of when I trained to use Kali Linux. Kali is a Swiss Army knife of useful tools. But the overwhelming number of tools is daunting. And without follow-up training, it’s hard to really know what’s included. Or when certain tools might be useful. So, even though you will hear others tell you how great Kali is -- and it is -- you may only unlock a quarter of it -- even if you use it every day. So you need someone to guide you through it.
Which leads me to this short episode of The Hacker Mind. While I’ve been able to attend conferences remotely, those remote conferences haven’t been able to replicate LineCon.
LineCon is when you’re queued up for a talk or an event and someone starts talking to you. A lot of people were coming up to talk to me at Black Hat this year, and I do get a lot of great material just by running into people casually.
It’s always interesting for me to hear how different people are approaching the same problems in infosec. Everyone’s got a unique perspective. There are the vendors, right? They have their pitch, their angle. But there are the people who actually work in the SOCs, on the pen testing teams. In some cases they’re taking open source, community-based tools and leveraging them in creative new ways against common threats. Like MITRE’s ATT&CK framework. And in a moment I’ll re-introduce you to someone I’ve interviewed before who’s taking ATT&CK to the next level. I hope you’ll stick around.
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living.
I’m Robert Vamosi and in this short post-Hacker Summer Camp episode I’m following up on a previous interview, and seeing how the work that was done to create a tool commonly used today has led to a new business of teaching people how best to use that tool to figure out what security solutions an organization might actually need.
In May 2021, for Episode 20 of The Hacker Mind, I interviewed Frank Duff, who was then the Director of ATT&CK Evaluations for MITRE Engenuity. Here’s how he described ATT&CK:
Duff: ATT&CK itself is just a project within the MITRE Corporation, right, so it was originally spun up as a research and development effort that was being done about eight years ago now.
Vamosi: Perhaps a bit more background is needed. First MITRE and then ATT&CK.
Formed in 1958, MITRE, which is an acronym for MIT Research Establishment, is a not-for-profit organization that manages federally funded research and development centers (FFRDCs). It traditionally supports the research for several U.S. government agencies such as the FAA, the IRS, the Department of Defense, Department of Homeland Security, Centers for Medicare and Medicaid and NIST. Perhaps more relevant to security, MITRE maintains the Common Vulnerabilities and Exposures (CVE) system and the Common Weakness Enumeration (CWE) project.
A few years ago, MITRE came up with ATT&CK -- that’s capital A-T-T, ampersand, capital C-K. It's a framework that describes tactics and techniques commonly used by criminal hackers and state adversaries, and it is proving to be useful when considering threat models.
Here’s how Frank described the founding of ATT&CK: a couple of blue teamers sitting around a table discussing how best they could present their findings to the people who actually make the decisions.
Duff: Time gets foggy, but a long time ago and in a prior life, right, like I was sitting there as a blue teamer. We had red teams that were coming at us every other month to assess our advances as the defenders, and we needed a common lexicon, to be able to describe what the red team was doing in a way that people like me as the blue team could understand. So I was not the guy that came up with the idea for ATT&CK, I was on the defender side, right, like I came down and at the time, we were looking at how to improve the visibility within our networks, right, so everybody was focused on antivirus at the time, and keeping the bad guys out, and I think the median dwell time, which is like the time it took for an adversary to be detected, was somewhere around 210 days if I recall, on average, right, that's a substantial part of a year. And so think about what a bad guy could do in your network for half a year plus, right, that's not a good feeling, and so we started up the research project to try to say okay, well, what can we do to defend against the adversary once they're in, right. And so we started building out our own sensors, because this was before the time of EDR, before the time of Sysmon or anything like that, we were like, alright, let's build out our own sensor that can capture process information and command line arguments and let's figure out how we can advance defenses. And so I was on that team, creating a bunch of those analytics using sensors we had homebrewed, and then the rest is history. We've continued to evolve ATT&CK and evolve our work program, and I went from a defender to a guy that manages a bunch of red teamers to do the evaluations. So it's a fun time.
Vamosi: So ATT&CK started as a workshop exercise to document common tactics, techniques and procedures, TTPs, that advanced persistent threats used against Windows enterprise environments. Advanced persistent threats are just as they seem. They're the long game operations where something as small as a single phishing email could escalate into millions of IDs being exfiltrated.
Duff: And so, out emerged this Excel spreadsheet of different behaviors that the red team was performing, which would allow us to focus, rather than on hashes or specific malware, on the higher level behaviors to improve our defenses. And what we found was, as we were trying to report up our value of doing these red team/blue team exercises, which we loved because they were super fun, we had to sell management on why we were doing these every other month.
Vamosi: Toward the end of his time at MITRE, Frank began conducting evaluations of security products against ATT&CK for MITRE Engenuity, taking what the vendor said it could do against what ATT&CK said you needed to do to mitigate certain threats. If you want to learn more about MITRE Engenuity, or the ATT&CK framework, I suggest you go back and listen to Episode 20 of The Hacker Mind.
Flash forward to Hacker Summer Camp 2022. Standing in a hallway in Mandalay Bay, Frank told me the value in what his new company does for organizations running ATT&CK is …
Duff: allow them to define the threats that matter to them. Allow them to define the defensive solutions that they have. And from that understand how well they are protected and give them recommendations on how to improve.
Vamosi: And this new venture grew squarely out of the need for organizations to use ATT&CK but also to not take on more tools, and, in some cases, maybe remove some tools that no longer are needed.
Duff: Yeah, yeah. One of the challenges that I had at MITRE, as well as the other founders, is that we recognized that there's this challenge that organizations are having in adopting ATT&CK. ATT&CK has grown up substantially since it was initially released to describe the variety of adversary behaviors. But what that means is now it's becoming a much larger problem for people to deal with. So what we wanted to do is go off and develop a company that would give organizations the tools that they need to really make it their own. They offer a community platform that can assess, organize, and optimize
Vamosi: So MITRE’s ATT&CK is based on indicators of compromise gathered over years of research. It’s valuable for industries. Say, for example, you are in oil and gas. You can look at ATT&CK and see what attacks you are likely susceptible to and then you drill down into the different tactics. Armed with this specific knowledge that others in your industry have been victim to these tactics before, you can then fortify your own networks against specific tactics. What’s good is that you can focus. What Frank’s new business does is help other organizations look at that ATT&CK model for their industry and then look at the tools they have, or might still need. Rather than -- I need a firewall -- maybe ATT&CK suggests a specific type of firewall. And maybe it’s not the firewall you currently have.
Duff: Yeah. And so similar with that vein, right, ATT&CK is the gold standard, right. And so we wanted to be able to just make it, give it more context. So we have a community platform we just launched on the Wednesday of Black Hat. That is centered around providing the information that ATT&CK would provide, but then adding in unique data sets. One of those data sets is a product registry that we have, where vendors are working with us to define their capabilities as they relate to ATT&CK. And then we publish that information free for anybody to access, similar to the vein of ATT&CK. What ATT&CK has done to build a community is absolutely amazing. We just want to be able to add to it in our own way by giving people not just information about the threat but what to do about the threat.
Vamosi: In Episode 49, I talked about Living off the Land, an attack strategy that uses existing applications on a victim’s machine, as opposed to downloading a new zero day or something cool like that. Living off the land, or fileless malware, is a threat actor leveraging the utilities readily available on a system. These could be in the operating system, or it could be a third party that's been added. It's a sneaky way to exploit a system without any of the existing preventative tools.
Duff: Yeah, so living off the land is how a lot of these sophisticated adversaries move around. The whole theory behind persistent threats, right, they're called persistent for a reason. Right? They will get in, they will find some new vulnerability to get into the system. So there's only so much that you can do with vulnerability, and it's important, but it's only part of the problem. But once they get in, how do they operate, and a lot of them just use the same tools that your system administrators would use to move around the environment. And so then it becomes, okay, well, how can you defend against this? And it's challenging, right? Because those are the same behaviors that real users, real administrators are using. So oftentimes it becomes noisy things, and they're just using it in a more nefarious way. And so that's really where it becomes tricky to defend in that regard.
Vamosi: What Frank’s company is doing is not too far from the evaluations he performed at MITRE Engenuity, where he compared the claims of different security vendors to the results he was able to test. It was designed as a report card, so organizations can assess whether or not a security tool does what it says it is supposed to do.
Duff: This is about security stack optimization, I guess, is one way you could look at it. Right? So being able to know that you have the tools, that they're configured in a way that will actually be able to defend you against the threats whenever they come up. So being able to know that you have this EDR, this MDR, and that they're configured in a proper way so that they're going to tackle the threats that matter most to you.
Vamosi: So Tidal, in a sense, is performing a vendor evaluation of the tools that you already have, mapped to the tools that you actually need for the threats you face.
Duff: Right, it stops short, it doesn't hesitate to call it evaluation just from the standpoint that we are taking vendors' words for this registry, right, vendors are giving us their data. We do structure it, we do require additional information about it that hopefully gives it better context and believability, understandability, all those good things. But at the end of the day, we're trusting the vendors to give us the information that will actually enable end users. We're just trying to bring a layer of transparency to it and structure around it that will really drive it forward.
Vamosi: So where are you seeing the initial uptake and interest in this product?
Duff: So it's been great to see that we've had a lot of interest from the vendors themselves in contributing, right, and that's a very important thing for our strategy. We had hoped that vendors would give us their data and would want to drive forward on this transparency, because we do want to have this community platform at the core that we can build on, right. All three founders come from MITRE and we all have that public interest kind of mission still, right. And so we really hope that that'd be the case, and to see the vendors that have either given us data or have committed to providing the data in the coming weeks. It's a really solid list of vendors that are jumping into that, and that will empower the end user community, right, the ones that have to do their ATT&CK research day to day, but don't want to just have to look here at ATT&CK, and here at this GitHub repository, and here at this other GitHub repository, and here at this other online resource, right. If we can consolidate all that information, so that now it's all just searching within one platform, right? That's something that's much more powerful for them and will hopefully optimize their workflows, right.
Vamosi: To measure their security responsiveness, organizations use different teams. There’s the red team, which is constantly looking for the latest attacks to use against their company to test its responsiveness. There’s the blue team which is there to fend off the attacks of the red teams. Is this going to be useful for red team and blue team?
Duff: Yeah, absolutely. So it's got a lot of different use cases around it, right. As I said, the chief use case for enterprise customers would be to be able to define their threats, to be able to define their defenses, and part of that is their customization. Right? So we talked with a lot of organizations that have custom ATT&CK techniques, things that their red team does, or things that their defenders have developed in terms of analytics, right. And so what we want to be able to do is allow them to encapsulate that information in addition to all the information that ATT&CK has. So there's absolutely room for being able to define new techniques, being able to say what you've tested, what the results were, being able to define the analytics you wrote and what special circumstances it works or it doesn't work. All those things are things that are going to be coming to the platform.
Vamosi: And then organizations employ the occasional pen testers who swoop in for two-week engagements, testing within a scope defined by the organization hiring them. Often this is for compliance and regulatory needs.
Duff: So pentesting is an interesting corollary, right? Because at the end of the day, they're going to be more focused on vulnerabilities and getting into systems. That is definitely part of ATT&CK though, right, when you consider that there's initial access and what comes before it, right, being able to figure out how to get in. We do even have a vendor that specializes in doing more of the pentesting or getting into the enterprise in terms of like the attack surface, and so it definitely plays a role. But with all things ATT&CK, ATT&CK is much more focused on the post-exploit behaviors, which tend to go more towards red teaming and blue teaming in that light.
Vamosi: Organizations of course have security operations centers or SOCs. Is there a place for the SOC?
Duff: Absolutely. So what I look back on, it definitely tailors to threat hunting and the more preparedness aspects of the SOC, so developing the rules, so the next time something happens, you have it. But a lot of the organizations that we're dealing with from our early customers are the ones that are in the SOC themselves, right, the ones that have to take the threat intel that's coming through, being able to translate that to big art. So what else am I supposed to be looking for? And being able to easily pivot on that data to understand how techniques are interrelated and what you have in your stack that can hopefully defend against that, right, I mean, that's gonna be a powerful thing.
Vamosi: So organizations already have a lot of reports coming in. I spoke to someone on my flight back from Hacker Summer Camp who said he has all the reports he needs for compliance, but he needed someone junior to come in and analyze each and report out what’s important. So I’m curious what the output might look like there. Is this just another report?
Duff: Right, so one of the use cases that I like to talk about is specifically one that I did back in my middle years of my MITRE career, which was right around detection engineering, right. And so I would get tasked by my SOC manager to write a new analytic based on adversary behavior we'd seen, right. That would have required me to go look at ATT&CK, go look at Sigma, their GitHub lists, and go figure out how to write that in Splunk. Talk to some engineers about what tools I have, figure out what data sources I can get. Right now we've got to the ability where you can go and do all that research with it, right? Being able to look in one platform, one space, to be able to pull the thread on all that information, what tools are providing what data source, what analytics use that data source, so that you can tackle that behavior that you care about. So the end result should be that now, analysts out there, that detection engineer gets to write that rule at a much quicker speed, be able to leverage the work that's already being done by the community and just be able to adopt it for their own space. So they go write that rule, they now have that capability that then in future iterations would be able to actually register as a capability in our platform. And so that they know that that's something, and that they built it for this reason, because it maps to this ATT&CK technique, that it uses this data, that it uses this product, and then you know what, if they leave the company, okay, what lives with that company? Right? And so I think that that's gonna be a really powerful thing.
Vamosi: So it's not really like a dashboard, but it's not really a report.
Duff: So right now it's a combination of, so right now the communication is based around this knowledge base exploration. Right? So being able to just pull the thread on all these different aspects, right. But as we get forward, right, I mean, dashboards are inevitabilities of the community. But we make all our data available via API, so you can pull it into your product if you want to use some other API, or some other product, as your dashboard. So we'll be flexible as we need to be.
Vamosi: So for this new venture to be effective, they need input. They need input from vendors and users to build up a common database that in turn will be useful to the larger infosec community.
Duff: I think that the biggest thing that I'd like to stress is really that. As I just referenced, at the core is this community platform, right? This community platform really is trying to help analysts do their day to day, the red teamer, the blue teamer, the CTI analyst. So, I would encourage anybody, if there's data sets out there that you want to see us pull in, if there's features that you want to pull in, right, those are things we're looking for, to really make it so that this can make threat-informed defense actionable, right, it's to make ATT&CK actionable. We've got to be able to make the jobs a lot easier, right. We keep hearing about how hard it is to hire people and how hard it is to train people. And part of that is because it requires so much custom knowledge or gained knowledge through the years, right. If you've been in the industry for five years around ATT&CK for all that time, worked at a couple of like high performing companies, right, you kind of get all the intricacies of it and you know all the places to look for it. For the vast majority of users out there, they don't know that they want ATT&CK, but how to use it is a really big problem. So if you think that there's things that can help the community, make sure you let us know. Try out the platform and give us any feedback you have so we can make it better.
Vamosi: And there’s a definite need for this. With all the crazy new attacks, and attacks on different industries, it’s important that organizations within those industries have the right tools to proactively guard against compromise.
Duff: So the need for it right now. I think that we hear a significant need for being able to, again, like encapsulate what you do and what threats you need to care about. And so I think that there is a significant need right now. And it's just a matter of developing, developing, developing and getting all these features out so that we can provide that to the community.
Vamosi: Awesome. And you guys announced here at Black Hat?
Duff: Yeah, we announced here at Black Hat that we had gone live with our community edition. And so you can go and you can check out the tool, you can see all the data pulled together. And then hopefully everybody gets some value out of that. And as we bring along more and more features, that will help actually empower you to define what your organization looks like.
Vamosi: I’d like to thank Frank for the hallway interview at Black Hat 2022. His experience at MITRE and with his new work at Tidal will be valuable to the infosec community in the years to come as we move beyond just saying someone got breached, into someone had a specific type of breach, and here were the tactics used.
I have so many stories about hackers who are making a positive difference in the world. I don't want you to miss out. Let's keep this conversation going. DM me @RobertVamosi on Twitter, or join me on Discord; you can find the deets at thehackermind.com
For the Hacker Mind, I remain Robert Vamosi